
Are Clouds of Change Looming over Perimeter Security?

Created: 26 Jun 2009 • Updated: 08 Aug 2012 • 1 comment
By nicolas_popp

Although managed security services (MSS) are a relatively well understood and mature market, a few innovative startups are beginning to challenge the current structure of perimeter security. The interesting question is whether the rapid emergence of cloud computing, and the decentralization it engenders, challenges the whole notion of perimeter security, forcing our industry to reinvent today's approach to managed security services.

Today's managed security service providers (MSSPs) essentially offer outsourced management of perimeter security. Customers still have to buy and deploy on-premise security equipment such as firewalls, IPS, IDS and the rest. The tedious day-to-day management and continuous policy process is delegated to the cloud, but the security boxes remain. From that standpoint, today's managed security services fall short of moving the infrastructure cost and complexity of perimeter security to the cloud.

This raises the question of what happens to perimeter security when enterprise mission-critical data and applications start migrating off the IT network to the cloud. How does an enterprise create, enforce and maintain security, access and auditing policies in a world where sales data resides at SalesForce.com, and departmental applications run on Google App Engine, Microsoft Azure or Amazon EC2? In short, what does perimeter security mean when the perimeter extends beyond the familiar boundaries of today's corporate network?

One approach is for SalesForce, Microsoft and Google to create a home-grown perimeter security management service on top of their respective cloud infrastructures. Of course, the PAAS (Platform as a Service) vendors would have to make their cloud perimeter flexible enough to adjust to policy requirements as diverse as their customer base. And since applications will migrate across machines depending on load, these policies need to follow the data and applications dynamically across data centers, servers and virtual machine slices. In many ways, this means that perimeter security has to be virtualized in the same way as the virtualized data and applications it is attempting to protect. The problem with this model is that it forces PAAS providers to go beyond their initial core competency: from Web services infrastructure providers driven by large economies of scale to full IT infrastructure security and compliance providers. That is a lot of complexity and competency to absorb, even for a Google or a Microsoft.

Another model would be for the PAAS providers to think as true platform providers and enable specialized security vendors to build such services on top of their platforms. In that model, MSSPs would build virtualized, multi-tenant perimeter infrastructure on top of their favorite PAAS and then sell perimeter security as a service within these environments to their customer base. Obviously, this would require a different platform from the current MSS infrastructures. Moreover, MSS providers would have to adapt to each specific PAAS, forcing them to make strategic choices that restrict them to a few partners, who may not fit what their customers want in the first place.

The last alternative would be the emergence of standalone network security services in their own cloud, separate from the PAAS. The new security cloud would act as a virtual perimeter by funneling, inspecting, filtering and policing all traffic. Think of the perimeter as dissolving and being replaced by a defense network that consistently protects all corporate network assets independently of where these assets live: within the enterprise, within a SAAS, within a PAAS. For the same reason that Web application software tends to be very different from security software (industry consolidation aside), it would enable cloud providers to focus on what they do best: one cloud to build and deploy custom apps, another to secure them. For the customer, it would enable a single set of policies to be defined, implemented and enforced in one place, independently of where network applications and data actually reside (inside or outside the enterprise).
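The two properties the virtual-perimeter model depends on, policies that follow a workload when it migrates (the point made about PAAS-hosted applications above) and one policy set enforced and audited at a single choke point regardless of where the asset lives, are easier to see in code than in prose. The following is an added illustration, not code from the original post or from any MSSP or PAAS product: a toy policy engine in which rules are bound to asset labels rather than to network addresses, so relocating an asset from the enterprise network to a SAAS or PAAS changes nothing in the decision, while a legacy CIDR-based ACL silently stops covering it. All class, rule and asset names, addresses and hostnames are constructed for the example.

```python
"""Toy virtual perimeter: one rule set, one audit log, location-independent.

Added example, not part of the original post. Every name and value below is
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass
class Asset:
    name: str
    labels: Set[str]   # policy is bound to these, not to the endpoint
    location: str      # "enterprise", "saas" or "paas"
    endpoint: str      # current host:port; changes when the workload moves


@dataclass
class Rule:
    label: str                 # asset label this rule protects
    allowed_groups: Set[str]   # caller groups permitted to reach it
    allowed_actions: Set[str]  # actions those groups may perform


@dataclass
class Request:
    caller_group: str
    asset_name: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    location: str
    endpoint: str


class VirtualPerimeter:
    """Single choke point: every request is evaluated against one rule set and
    every decision lands in one audit log, wherever the asset currently lives."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.assets: Dict[str, Asset] = {}
        self.audit: List[Decision] = []

    def register(self, asset: Asset) -> None:
        self.assets[asset.name] = asset

    def relocate(self, name: str, location: str, endpoint: str) -> None:
        """Workload moved (enterprise -> SAAS, or one VM slice to another).
        Only the address book changes; no rule is touched."""
        asset = self.assets[name]
        asset.location, asset.endpoint = location, endpoint

    def decide(self, req: Request) -> Decision:
        asset = self.assets.get(req.asset_name)
        if asset is None:
            decision = Decision(False, "unknown asset: default deny", "?", "?")
        else:
            matching = [r for r in self.rules if r.label in asset.labels]
            permitted = any(
                req.caller_group in r.allowed_groups and req.action in r.allowed_actions
                for r in matching
            )
            if not matching:
                reason = "no rule covers asset: default deny"
            elif permitted:
                reason = "allowed by label-bound rule"
            else:
                reason = "group/action not permitted"
            decision = Decision(permitted, reason, asset.location, asset.endpoint)
        self.audit.append(decision)  # one audit trail for all locations
        return decision


def legacy_acl_covers(endpoint: str, trusted_cidr: str = "10.0.1.0/24") -> bool:
    """A box-on-the-network ACL keyed on an address range. Once the workload
    moves to a hostname outside that range the ACL no longer applies."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        return ip_address(host) in ip_network(trusted_cidr)
    except ValueError:          # hostname, not an IP literal: not covered
        return False


def demo():
    rules = [
        Rule("sales-data", {"sales", "finance"}, {"read"}),
        Rule("sales-data", {"finance"}, {"export"}),
        Rule("dept-app", {"engineering"}, {"read", "write"}),
    ]
    vp = VirtualPerimeter(rules)
    vp.register(Asset("crm", {"sales-data"}, "enterprise", "10.0.1.20:443"))
    vp.register(Asset("ticketing", {"dept-app"}, "paas", "app-1.paas.example.test:443"))

    before = vp.decide(Request("sales", "crm", "read"))
    legacy_before = legacy_acl_covers(vp.assets["crm"].endpoint)
    # The CRM migrates to a SAAS provider: new location, new address, same rules.
    vp.relocate("crm", "saas", "crm.saas.example.test:443")
    after = vp.decide(Request("sales", "crm", "read"))
    legacy_after = legacy_acl_covers(vp.assets["crm"].endpoint)
    export = vp.decide(Request("sales", "crm", "export"))   # wrong group for export
    unknown = vp.decide(Request("sales", "payroll", "read"))  # never registered
    return before, after, export, unknown, legacy_before, legacy_after, vp


if __name__ == "__main__":
    for d in demo()[-1].audit:
        print(d)
```

The contrast the example draws is the one the post argues for: the label-bound rule set gives the same answer before and after the migration and records both decisions in one place, whereas the CIDR ACL that stood in front of the on-premise box is simply no longer in the path once the asset resolves to a provider hostname.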

This is somewhat similar to the concept of "clean pipe" that many MSSPs have been contemplating for several years. The difference is that the move to the cloud and SAAS becomes the compelling driving force that shifts today's legacy deployment model of network perimeter security towards a true in-cloud model. The exact timing of such a transition remains unclear, but if one believes that cloud computing is an unstoppable trend, perimeter security may be due for significant transformation in the years to come.


Comments (1)

Justin Foster:

You bring up some very good points here. In Public IaaS the end user still has some control over security (at least host-based), for PaaS and SaaS it's up to the service provider. In all of these cases there isn't the opportunity right now to provide 'virtual perimeter' that MSSPs can control (Other than maybe firewall ACLs).

I really like your second suggestion. If the providers open up control of 'virtual perimeters' for each tenant I can see, as you suggest, the opportunity for MSSPs to work well. Virtual Appliances would be a nice fit here.

It's likely a tremendous challenge for the providers to manage the virtual routing this would require in a highly agile datacenter.

Maybe then your 3rd option would be more suitable. Use Security as a Service and proxy traffic through it (similar to what Zscaler and Purewire do for end-points).

Well Done!
